From: GAYNOR, RYAN C. (CD) (FBI) <RCGAYNOR@fbi.sgov.gov> 

Sent: Tuesday, October 4, 2016 10:00 AM 

To: WIERZBICKI, DANIEL S. (CG) (FBI) <DSWIERZBICKI@fbi .sgov.gov>; HEIDE, 
CURTIS A. (CG) (FBI) <CAHEIDE@fbi.sgov.gov>; SANDS, ALLISON (CG) (FBI) 
<ASANDS@fbi.sgov.gov> 

Ce: MOFFA, JONATHAN C. (CD) (FBI) <JCMOFFA@fbi.sgov.gov>; PIENTKA, JOE 
(WF) (FBI) <JPIENTKA@fbi.sgov.gov>; AUTEN, BRIAN J. (CD) (FBI) 
<BJAUTEN@fbi. sgov.gov> 


Subject: RE: Status update on ALFA BANK case --- SZ 


Classification: Po 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


Got it and being discussed at HQ. Before we make any decisions on that front, we will need to know what we 
can learn from the logs we have now obtained regarding the nature of the actual activity between Alfa Bank 
and the domain/server. 


CG and MM have done great work on this and it is very much appreciated here. We continue to highlight the 
progress on this matter to CD and CyD leadership on a daily basis. 


Best Regards, 


-Ryan 


From: WIERZBICKI, DANIEL S. (CG) (FBI) 
Sent: Monday, October 03, 2016 3:00 PM 
To: HEIDE, CURTIS A. (CG) (FBI); GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) (FBI) 
Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI) 
Subject: RE: Status update on ALFA BANK case --- 


Classification: P 


Classified By: F97M34K34 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


| agree with Curtis...an interview with the source of info would be the logical step in this (as well as any) 
investigation. It may allow us to understand the what and why of the white paper. 


From: HEIDE, CURTIS A. (CG) (FBI) 
Sent: Monday, October 03, 2016 2:49 PM 

To: GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); WIERZBICKI, DANIEL S. 


FBI-DWS-01-0000697 
SCO_FBIPROD_004965 


SCO-006486 
Subject to Protective Order 


(CG) (FBI) 
Subject: RE: Status update on ALFA BANK case --- 


Classification: i 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Yeah, we got the logs from MM so we'll look through those for these IPs. 


We really want to interview the “source” of all this information. Any way we can track down who this guy is 
and how we’re getting this information? 


Curtis 


312-829-8432 


From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Monday, October 03, 2016 1:48 PM 

To: HEIDE, CURTIS A. (CG) (FBI); SANDS, ALLISON (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI) 
Subject: RE: Status update on ALFA BANK case --- 


Classification: p 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


Curtis, 


Just read the lead info on unet. Please try to obtain any background info on how we received the new 
‘anonymous information’ related to the new ‘person of interest’ because | am sure that we will be asked up 
here. The new information just creates more questions for now. One could/might now assume the leaps of 
logic (VPN/TOR etc) within the original white paper were based on the author of the whitepaper having a 
‘Person of Interest’ they started their investigation from? 


Will standby for CG/MM thoughts. 
Thanks all, 


-Ryan 


From: HEIDE, CURTIS A. (CG) (FBI) 

Sent: Monday, October 03, 2016 1:38 PM 

To: GAYNOR, RYAN C. (CD) (FBI); SANDS, ALLISON (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI) 
Subject: RE: Status update on ALFA BANK case --- 


FBI-DWS-01-0000698 
SCO_FBIPROD_004966 


SCO-006487 
Subject to Protective Order 


Classification: ee 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Ryan, 

It appears that Allison is out today. | just got into the office. Hit me up if you need anything. 

We got another lead related to the cyber portion with Alfa Bank. l'Il forward it to everyone on this chain. 
Curtis 


312-829-8432 


From: GAYNOR, RYAN C. (CD) (FBI) 
Sent: Monday, October 03, 2016 7:45 AM 

To: SANDS, ALLISON (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Cc: MOFFA, JONATHAN C. (CD) (FBI) 

Subject: FW: Status update on ALFA BANK case --- 


Classification: p 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


Hope you both had a great weekend. Any Updates for today? Has Miami obtained the server logs from Central 
Dynamics or have a projected timetable for when they will? If not, and if they cannot give a timetable for 
when they will, would it be prudent to serve the NSL on Listrak? 


Thanks, 


-Ryan 


From: GAYNOR, RYAN C. (CD) (FBI) 

Sent: Wednesday, September 28, 2016 2:58 PM 

To: SANDS, ALLISON (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 
Subject: RE: Status update on ALFA BANK case --- 


Classification: S| 


Classified By: F24M49K23 
Derived From: FBI NSIC dated 20120629 
Declassify On: 20411231 


FBI-DWS-01-0000699 
SCO _FBIPROD_004967 


SCO-006488 
Subject to Protective Order 


Curtis/Allison, 


Any updates for tomorrow? If possible, any time estimates on when you will have the logs you need to 
conduct the next analysis would be helpful at HQ. 


Thanks, 


-Ryan 


From: SANDS, ALLISON (CG) (FBI) 

Sent: Monday, September 26, 2016 6:20 PM 

To: MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); STOFER, JOHN F. (CD) (FBI); 
GAYNOR, RYAN C. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: Status update on ALFA BANK case --- 


Classification: M 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Good afternoon, 
We have several updates on the ALFA BANK case to pass along: 


* The agent in Miami who has been working with Central Dynamics received an email from an 
executive at Central Dynamics stating that they checked the servers for the last 30 days, and the only IP they 
detected hitting the server was 167.73.11.8. This is the IP address mentioned in the white paper that resolves 
to SPECTRUM HEALTH. It is unclear at this time what kind of communication was this “hit” is referring to. We 
are still waiting on the server logs to conduct our own forensic investigation of any network activity on this 
domain. 


” NSLs are in draft and will soon be available for delivery to LISTRAK, the ISP that hosts the trump- 
email.com domain, and GoDaddy.com. We will seek to obtain any logs available on the LISTRAK server that 
relate to the trump-email.com domain, and subscriber data, any domains and subdomains affiliated with 
subscriber, IP logs, and billing information on trump-email.com domain from GoDaddy.com 


= Open source research on the current and historical lists of Tor exit nodes published by the Tor 
Project (torporject.org) covering the time period of May 4 2016 - Sept 4 2016, revealed no matches to the 
SPECTRUM HEALTH IP (167.73.110.8). Normally, a Tor exit node would appear in this list if it were active 
during the reviewed time period. Under normal conditions, the historical data used for searching is captured 
at a rate of once per hour, every hour, every day. This is further evidence that the white paper’s claim about 
SPECTRUM HEALTH being an exit node — exclusive for ALFA BANK or otherwise -- is not supported by technical 


FBI-DWS-01-0000700 
SCO_FBIPROD_004968 


SCO-006489 
Subject to Protective Order 


analysis. As far as we know, there is no way to create an exclusive TOR exit node- doing so would by default 


decrease the anonymity of the Tor user. Ill 


As always, |’m happy to answer any questions. 


Best, 


Special Agent Allison Sands 


Chicago Division/ CY-1 
desk: 312-829-8628 


mobile: 312-965-5872 


From: SANDS, ALLISON (CG) (FBI) 

Sent: Friday, September 23, 2016 1:53 PM 

To: SANDS, ALLISON (CG) (FBI); MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); 
STOFER, JOHN F. (CD) (FBI) 

Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: Status update on ALFA BANK case --- 


Classification: 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Good afternoon, 


Miami followed up this morning with Central Dynamics who confirmed that the mail1.trump-email.com 
domain is an old domain that was set up in approximately 2009 when they were doing business with Trump 
Organization that was never used. They released the domain via GoDaddy to the Trump Organization over a 
year ago; however, the DNS tables were not updated and that domain still pointed to Central Dynamics 
servers. As of this afternoon, a WHOIS look-up revealed that the mail1.trump-email.com no longer resolves 
to Central Dynamics, indicating they likely updated their DNS tables after the FBI informed them of the 
oversight. This email domain is no longer pointing to any active mail server. 


Central Dynamics provided reviewed a picture of a Barracuda (spam filter) service connected to server [trump- 
email.com]. The information displayed by the Barracuda spam filter for trump-email.com indicates that during 
an unspecified time period, 15 inbound emails were received, 1 was allowed to pass through the filter, and 1 
outbound email was marked as spam and blocked. The information provided only reflects email smtp traffic, 
and we have requested that Miami obtain logs for the email server on which the domain was residing to 
identify whether or not there was any other traffic (non-smtp) that indicates malware or another ALFA BANK 
traffic (including the alleged DNS queries) residing on the server. 


FBI-DWS-01-0000701 


SCO_FBIPROD_004969 


SCO-006490 


Subject to Protective Order 


Respectfully, 


Allison Sands 


From: SANDS, ALLISON (CG) (FBI) 

Sent: Thursday, September 22, 2016 4:53 PM 

To: MARIC, PAUL M. (CD) (FBI); PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); STOFER, JOHN F. (CD) (FBI) 
Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: RE: Status update on ALFA BANK case --- 


Classification: 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20411231 


Miami made contact with Central Dynamics, who confirmed that trump-email.com is a legitimate mail server 
that is used by Trump Hotels. Agent spoke to an executive at Central Dynamics, who agreed to cooperate with 
the FBI and will provide logs as requested. Agent will return to Central Dynamics tomorrow morning to meet 
with the technology support staff. We will provide Central Dynamics with the three IP addresses of specific 
interest for ALFA BANK and SPECTRUM HEALTH and specifically request for any logs related to that network 
traffic. Central Dynamics also provides email support for Trump.com, but moved the trump.com email servers 
to another server due to the high frequency of malicious attacks to those accounts. 


Best, 
Special Agent Allison Sands 


Chicago Division/ CY-1 
desk: 312-829-8628 


mobile: 312-965-5872 


From: SANDS, ALLISON (CG) (FBI) 

Sent: Thursday, September 22, 2016 4:22 PM 

To: PIENTKA, JOE (WF) (FBI); AUTEN, BRIAN J. (CD) (FBI); STOFER, JOHN F. (CD) (FBI); MARIC, PAUL M. (CD) (FBI) 
Cc: WIERZBICKI, DANIEL S. (CG) (FBI); HEIDE, CURTIS A. (CG) (FBI) 

Subject: Status update on ALFA BANK case --- 


Classification: A 


Classified By: 
Derived From: FBI NSIC dated 20130301 
Declassify On: 20261231 


FBI-DWS-01-00007/02 
SCO_FBIPROD_004970 


SCO-006491 
Subject to Protective Order 


Good afternoon, 


As of 1500 today 9/22/16, CG CY-1 have conducted the following investigation actions in support of the 
forthcoming case on ALFA BANK: 


a FBI CG CY-1 submitted an EC to open a full investigation - pending ASAC and SAC approval 
> CY-1 Computer scientists extracted files from source thumb drive for future analysis on OPWAN. 
+ Case agents coordinated with Cyber Division (POC Scott Hellman) to examine technical 


inconsistencies in the white papers methodologies and conclusions. Overall, ECOU assesses that the claims put 
forth in the white paper are invalid. Some key points: 


O There is no network traffic between the ALFA BANK and the trump-email.com domains, only DNS 
queries; 
O There is no evidence to support that the suspect email is currently tied to the TRUMP 


ORGANIZATION- the details of the registration do not match any of the legitimate TRUMP ORGANIZATION mail 
servers; 


O An error message on port 25 does not indicate that the server is set up specifically to only 
communicate to designated IP addresses; and 


O A “secret” communications portal is unlikely to have “email” or “trump” in the domain name and 
would unlikely communicate directly to ALFA ABNK’s IP address. 


O There is a lack of supporting evidence tying the ALFA BANK to the SPECTRUM HEALTH DNS queries. 


+ Case agents researched the legitimate mail servers affiliated with trump.com, and mail1.trump- 
email.com is not among them. Trump.com appears to be protected by a anti-DDOS service called CLOUDFARE 
in San Francisco, where trump-email.com does not. 


è Research on the trump-email.com domain, the parent domain to the suspect mail1.trump- 
email.com, revealed that the domain is registered to Central Dynamics Corporation, Boca Raton, FL. According 
to open source, Central Dynamics provides IT services to the Hotel industry that did some marketing for the 
Trump Organization in approximately 2007-2009 (the mail1.trump-email.com domains was created in August 
2009). Case agents cut a lead to Miami (POC SSA Jason Manar) to contact Central Dynamics to gather 
information about the trump-email.com domain using a ruse that the FBI is contacting them to see if this is a 
legitimate email account and not a spoof email account having the potential to send spear-phishing or other 
cyber criminal threats, and Highlight that the Registrant Organization was listed as Trump Orgainzation [sic] 
which could be an indication of malicious intent. Requested server logs if possible. 


> A WHOIS search revealed that the suspect email domain is being hosted on a Listrak server in Litiz, 
PA. Case agents contacted Philadelphia (POC SA Joshua Hubiak) and put Harriburg RA on standby to contact 
Listrak to gather any information possible about the trump-email.com domain. Philadelphia will wait to 
approach Listrak pending the outcome of the conversation with Central Dynamics. (NSL will be issued 
tomorrow if warranted) 


FBI-DWS-01-0000703 
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= IP addresses associated with the suspect email domain mail1.trump-email.com (IP address 
66.216.133.29) and SPECTRUM HEALTH, the suspected TOR exit node (IP address 167.73.110.8) were run 
through Lighthouse records (POC David Garn). Results are as follows: 


O Over the last six months, there are hits for IP address 167.73.110.8 on several CMs, all of which are 
China related. Going back further than six months, there was occasional activity on several FBI pE 


GEE CMs (100 to 200 packets during a 24-hour period) [a 
a 


O There is far less in LH related to IP address 66.216.133.29. The only traffic in all of 2016 that the 
search tool found was a two-packet instance of traffic on 15 February 2016 recorded by a China-related FBI 
CM. 


Respectfully, 


Special Agent Allison Sands 


Chicago Division/ CY-1 
desk: 312-829-8628 


mobile: 312-965-5872 


T a a ` add A . 
Classification: 


Classification: 
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